[
https://bro-tracker.atlassian.net/browse/BIT-1090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14505#comment-14505
]
tyler.schoenke commented on BIT-1090:
-------------------------------------
Hi Seth,
I think you missed the part below where I said I modified the data structure to
be a set of subnets. Devices connecting to github have been firing the alert.
Since github has multiple IP ranges, I needed a set of subnets in order to
effectively whitelist. Once this is working, I think this change would be a
good enhancement request for the existing detect-bruteforcing script.
Tyler
> fatal error Val::CONVERTER
> --------------------------
>
> Key: BIT-1090
> URL: https://bro-tracker.atlassian.net/browse/BIT-1090
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.1
> Environment: Ubuntu 10.04.03 LTS, bro 2.1-179
> Reporter: tyler.schoenke
> Attachments: my-detect-bruteforcing.bro, sigsup-ssh-pass2.bro
>
>
> Hi guys,
> I got the following message when I modified a data structure in
> detect-bruteforcing.bro. I didn't get a chance to test against the current
> version, but did a quick check against the mailing lists and tracker and
> didn't see this issue mentioned.
> $ bro my-detect-bruteforcing.bro sigsup-ssh-pass2.bro
> fatal error in ./sigsup-ssh-pass2.bro, line 2: Val::CONVERTER (types/table)
> (10.0.0.1/32)
> Here is the modification to detect-bruteforcing.bro:
> const ignore_guessers: table[subnet] of set[subnet] = {} &redef;
> I found the need to whitelist from a single host to multiple subnets instead
> of a single subnet. The following minimal script will produce the error.
> cat sigsup-ssh-pass2.bro
> redef SSH::ignore_guessers = {
> [172.0.0.0/16] = set( 10.0.0.1/32 )
> };
> Any help would be appreciated.
> Thanks,
> Tyler
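The whitelist shape discussed in this thread (one source subnet mapped to a set of destination subnets), modelled in Python as an added example; it is not code from the original post or from the Bro project. The names `is_ignored` and `longest_match` and the sample ranges are constructed, and the model assumes that a source address selects only its longest-matching source prefix, so a more specific entry shadows a broader one rather than merging with it.

```python
import ipaddress

# Constructed sample policy: source subnet -> set of destination subnets.
# Same shape as table[subnet] of set[subnet]; the ranges are illustrative only.
IGNORE_GUESSERS = {
    "10.0.0.0/8": {"192.0.2.0/24"},
    "10.0.0.1/32": {"198.51.100.0/24", "203.0.113.0/24"},
}


def _parse(policy):
    """Convert the string policy into ip_network keys and sets of ip_network values."""
    return {
        ipaddress.ip_network(src): {ipaddress.ip_network(d) for d in dsts}
        for src, dsts in policy.items()
    }


def longest_match(addr, networks):
    """Return the most specific network containing addr, or None if none match."""
    hits = [n for n in networks if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def is_ignored(orig, resp, policy=IGNORE_GUESSERS):
    """True when the orig -> resp pair is whitelisted and should not raise the alert.

    Assumption: only the longest-matching source prefix is consulted, so the
    /32 entry for 10.0.0.1 hides the destinations listed under 10.0.0.0/8.
    """
    table = _parse(policy)
    o, r = ipaddress.ip_address(orig), ipaddress.ip_address(resp)
    src = longest_match(o, table)
    if src is None:
        return False
    return any(r in dst for dst in table[src])


if __name__ == "__main__":
    for pair in [("10.0.0.1", "203.0.113.9"), ("10.0.0.1", "192.0.2.5"),
                 ("10.2.3.4", "192.0.2.5"), ("172.16.0.1", "192.0.2.5")]:
        print(pair, "ignored" if is_ignored(*pair) else "alerts")
```

Because every whitelisted pair suppresses detection, the shadowing case is worth checking whenever a host-specific entry is added under an existing broader source range.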